Veteran UK retailer Marks & Spencer (M&S) has apologised to customers after a cyber incident of a currently undisclosed nature forced multiple public-facing services offline, with shoppers predictably taking to social media in their droves to lament the outages.
In a note published on the afternoon of 22 April, the company revealed it had been “managing a cyber incident” affecting contactless payments and online click-and-collect services over the Easter Bank Holiday.
According to reports, a second technical problem occurred at the weekend affecting only contactless payments.
“As soon as we became aware of the incident, it was necessary to make some minor, temporary changes to our store operations to protect customers and the business and we are sorry for any inconvenience experienced,” a spokesperson said.
“Importantly, our stores remain open and our website and app are operating as normal.
“Customer trust is incredibly important to us, and if the situation changes an update will be provided as appropriate,” they added.
M&S additionally said it has enlisted third-party cyber forensics to assist with incident management, and is taking further actions to protect its network and ensure it can continue to maintain its customer services.
Computer Weekly also understands the cyber attack has been reported to the Information Commissioner’s Office (ICO) and the National Cyber Security Centre (NCSC).
“The incident at Marks & Spencer serves as a reminder of the interdependencies in modern retail operations. The disruption to click-and-vollect services and contactless payments underscores how any technical issue can have far-reaching consequences across an entire organisation,” said Javvad Malik, lead security awareness advocate at KnowBe4.
“M&S’s prompt communication and engagement with the ICO demonstrate a commendable level of transparency and regulatory compliance. However, the event also reveals potential gaps in cyber resilience and crisis management strategies.”
Although unconfirmed at this stage, the nature of the attack’s impact, and the language deployed by M&S, suggests that the retailer may be dealing with the impact of a ransomware attack on certain systems.
Retailers are vulnerable
But regardless of the precise nature of the incident, it is by no means an isolated one, with retailers frequently in the crosshairs of threat actors.
For example, retailers have high public brand awareness upon which cyber criminals like to capitalise for their own fame and notoriety.
Added to this, cyber criminals can use the seasonal nature of the retail sector to ramp up pressure on the victim by disrupting their business at a critical point and making them more likely to cave to extortion demands – the timing of the M&S incident over the long Easter weekend may bear this out.
Meanwhile, the growth of omnichannel approaches to retail increases the exposed attack surface, as does adoption of new technologies, such as AI-powered recommendation engines.
According to NCC Group, the consumer cyclicals (non-essential purchases) and non-cyclicals (essential purchases) sectors, which both encompass retailers in general, were the second and fifth most targeted verticals by cyber criminal ransomware gangs in the first half of 2024.
“There is an urgent need for all sectors to respond to this increased targeting from threat actors, but especially those storing huge amounts of data,” said Matt Hull, global head of threat intelligence at NCC Group.
“Now more than ever businesses should expect to be a target for cyber criminals and take a proactive approach to security rather than waiting for potential threats to strike.”
